From 977a67e2fd21a31c92ab6e8583d42ba54fbe9fd8 Mon Sep 17 00:00:00 2001
From: Chris Thompson
Date: Mon, 6 Jan 2025 14:48:07 -0500
Subject: [PATCH] Security changes...ssh/firewall
---
 hosts/default/configuration.nix | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/hosts/default/configuration.nix b/hosts/default/configuration.nix
index 83aec86..e2433d8 100644
--- a/hosts/default/configuration.nix
+++ b/hosts/default/configuration.nix
@@ -140,7 +140,7 @@
 # And system-specific settings:
 users.users.wolcen = {
 description = "Chris Thompson";
- openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEdxdKYrlwOolJpYxvWu6gW/60pzT6aKN6JHhnTSBFqN wolcen@typhoon" ];
+ openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEdxdKYrlwOolJpYxvWu6gW/60pzT6aKN6JHhnTSBFqN wolcen@typhoon" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINTFJeOIRwEw09EhFdssRHOdb+T7o84FC+ULMQzXDewE wolcen@wolcen-ThinkPad-X220" ];
 extraGroups = [ "networkmanager" "wheel" "docker" "dialout" ];
 };
@@ -163,7 +163,7 @@
 # For xdebug...verify actual necessity
 # Have had to use this, but I think it can be disabled still - perhaps w/xdebug binding setting...don't know.
- networking.firewall.allowedTCPPorts = [ 9003 ];
+ #networking.firewall.allowedTCPPorts = [ 9003 ];
 # Allow unfree packages
 nixpkgs.config.allowUnfree = true;
@@ -273,6 +273,7 @@
 # Enable the OpenSSH daemon.
 services.openssh.enable = true;
 services.openssh.ports = [ 2112 ]; # must be a list...for some reason.
+ services.openssh.settings.PasswordAuthentication = false;
 # Enable mobile shell (for roaming, intermittent connectivity, etc)
 programs.mosh.enable = true;
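Review bot: In the first hunk, `openssh.authorizedKeys.keys` now holds two keys on a single line, so a later rotation or removal will be hard to audit in a diff; put each key string on its own line inside the brackets. The `extraGroups` context line shows this user is in `wheel` and `docker`, so either key is effectively root-equivalent on this host. A short comment above each entry saying which device it belongs to, e.g. `# X220 laptop`, makes it easier to revoke the right one if a machine is lost or retired.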
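Review bot: In the second hunk the firewall rule is commented out rather than removed, and the two comment lines above it still read as if the port were in use ("Have had to use this…"), so a later reader cannot tell whether 9003 is meant to stay closed. Either delete the line or state the intent, e.g. `# xdebug port 9003 intentionally closed; re-open only on a specific interface if remote debugging is needed`. If the port has to come back, `networking.firewall.interfaces.<name>.allowedTCPPorts` opens it on one interface only instead of on every interface.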
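Review bot: In the third hunk, `PasswordAuthentication = false` on its own may not stop password logins. NixOS has a separate `services.openssh.settings.KbdInteractiveAuthentication` option, and with keyboard-interactive left enabled under PAM, sshd can still prompt for a password. Unless it is already set elsewhere in the file (not visible in this hunk), add `services.openssh.settings.KbdInteractiveAuthentication = false;` next to the new line, and consider making the root policy explicit with `services.openssh.settings.PermitRootLogin = "no";`. Running `sshd -T` against the built configuration confirms the effective values.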